[Snort-users] Proffesional Opinions ---wanted

Matt Kettler mkettler at ...4108...
Wed Sep 4 14:47:08 EDT 2002


My personal opinion, and one I've repeated often on the list, is that the 
greatest danger in flexresp is that it might lead you to believe it is 
useful in "managing attacks".

An attacker that knows you are using flexresp can actively bypass it by 
advancing the sequence number. And if someone is actually attacking your 
network by hand, they will know you're using some kind of flexresp like 
system pretty quickly. Sure they won't be able to get past it every time, 
but they can and will be able to get past it some of the time, certainly 
often enough to succeed if you were counting in flexresp to stop some 
kiddie from r00ting your box.

Flexresp is a neat little tool, and it's useful for non-security 
situations, ie: if you're using snort as a bizarre pr0n filter, or as a 
absolute last ditch effort, but NEVER treat flexresp as a sure thing. I 
think it also has some place in attempting to defend against theoretical 
attacks if a signature is generated before a patch to the server code in 
question can be made.

Flexresp is not a replacement for a well-patched server and properly 
configured firewall, but as long as you aren't counting on it to provide 
security it has some uses.


At 04:20 PM 9/4/2002 -0700, Tim wrote:
>Hey ppl,
>
>
>Just wanted to get some opinions from people with experience with 
>FLEXRESP. I have been toiling with the idea of jumping in and configuring 
>snort with this option in order to manage some of the attacks.
>
>I did re-compile snort with the flexresp option this time, ( curiosity got 
>the better of me ). I made sure to install libnet before I did so. Which 
>went fine...no errors. But I'm not sure if after running ./configure 
>--enable-flexresp if I was supposed to run make and make install again. 
>Any comments or insights to the installation process?
>
>What do you all think....is flexresp worth the effort? What are the pros 
>and cons to this little utility? Your opinions are appreciated....TIA
>
>
>Tim-Mia/Fla
>
>
>





More information about the Snort-users mailing list